> If all you have is a pcap with some protocol packets in it, how would
> you know how much of the actual protocol specification (the possible
> set of fields that the packets could carry) is being covered? This is
> a useful metric to have when writing a dissector or IPS/DPI
> signatures. This is much in the spirit of code coverage.
>
> We used the Wireshark dissector documentation as the authoritative
> reference and then indexed all the protocol fields in the repository
> to see where we stand. You can check it out here:
>
> http://www.pcapr.net/browse/fields
>
> Besides, the index makes searching for pcaps with specific fields a
> whole lot easier. Looking for a SIP pcap that contains the
> WWW-Authenticate header? No problem, just type in
> "field:sip.www.authenticate" in the search bar and off you go. How
> about chunked-encoded HTTP stream with exploit.php? Search for
> "field:http.transfer.encoding AND exploit.php".
>
> Enjoy,
>
> K.
>
>
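The field-coverage metric and the `field:` search described in the quoted message, as an added example that is not pcapr's code: the dissector field list (`SPEC`), the two pcaps and their per-packet fields, and the `field:`/`AND` query grammar are all constructed here for illustration. In practice the spec would come from the dissector documentation (for example `tshark -G fields`) and the per-packet fields from running the dissector over the capture; the field names reuse the ones quoted above rather than any particular dissector's exact naming.

```python
"""Protocol-field coverage of a pcap corpus, in the spirit of code coverage.

Added example, not pcapr's own code. SPEC, PCAPS and the query syntax are
constructed assumptions; field names follow the quoted message.
"""
from dataclasses import dataclass

# Constructed: the fields a dissector could emit, keyed by protocol prefix.
SPEC = {
    "sip": {"sip.method", "sip.request.line", "sip.status.code",
            "sip.www.authenticate", "sip.via"},
    "http": {"http.request.method", "http.request.uri", "http.response.code",
             "http.transfer.encoding", "http.content.type", "http.host"},
}

# Constructed: two small pcaps, each a list of packets mapping field -> value.
PCAPS = {
    "sip-register.pcap": [
        {"sip.method": "REGISTER",
         "sip.request.line": "REGISTER sip:example.invalid SIP/2.0",
         "sip.via": "SIP/2.0/UDP 192.0.2.10"},
        {"sip.status.code": "401",
         "sip.www.authenticate": 'Digest realm="example.invalid"'},
    ],
    "http-chunked.pcap": [
        {"http.request.method": "GET", "http.request.uri": "/exploit.php",
         "http.host": "example.invalid",
         "http.user.agent": "curl/8.0"},          # not in SPEC: dissector drift
        {"http.response.code": "200", "http.transfer.encoding": "chunked"},
    ],
}


@dataclass(frozen=True)
class Coverage:
    protocol: str
    covered: frozenset
    missing: frozenset

    @property
    def ratio(self):
        total = len(self.covered) + len(self.missing)
        return len(self.covered) / total if total else 0.0


def all_packets(pcaps):
    return [pkt for packets in pcaps.values() for pkt in packets]


def field_coverage(spec, packets):
    """Per protocol: which spec fields the packets exercise and which they never touch."""
    seen = {}
    for pkt in packets:
        for field in pkt:
            seen.setdefault(field.split(".", 1)[0], set()).add(field)
    report = {}
    for proto, fields in spec.items():
        covered = fields & seen.get(proto, set())
        report[proto] = Coverage(proto, frozenset(covered), frozenset(fields - covered))
    return report


def unknown_fields(spec, packets):
    """Fields the dissector emitted that the spec does not list (spec or dissector drift)."""
    known = set().union(*spec.values())
    return {field for pkt in packets for field in pkt} - known


def search(pcaps, query):
    """AND-joined query of 'field:<name>' terms (field present in some packet)
    and free-text terms (substring of some field value). Returns matching pcap names."""
    terms = [t for t in query.split() if t.upper() != "AND"]
    hits = []
    for name, packets in pcaps.items():
        matched = True
        for term in terms:
            if term.startswith("field:"):
                wanted = term[len("field:"):]
                matched = any(wanted in pkt for pkt in packets)
            else:
                matched = any(term in str(v) for pkt in packets for v in pkt.values())
            if not matched:
                break
        if matched:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    packets = all_packets(PCAPS)
    for cov in field_coverage(SPEC, packets).values():
        print(f"{cov.protocol}: {cov.ratio:.0%} covered, missing {sorted(cov.missing)}")
    print("unknown fields:", sorted(unknown_fields(SPEC, packets)))
    print(search(PCAPS, "field:http.transfer.encoding AND exploit.php"))
```

The missing set is the actionable output: for a dissector or DPI signature author it lists the fields no sample in the corpus exercises, and `unknown_fields` flags the reverse gap, fields the capture contains that the spec does not know about.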